Fake Payroll Update Requests on Microsoft Teams
Attackers impersonate employees in Microsoft Teams chats to request direct-deposit changes, diverting wages by exploiting the platform's internal trust.
Part of: Fake Payroll Update Email Scam
Last reviewed: 1 June 2026
Payroll diversion has extended into Microsoft Teams, where a chat appearing to come from a colleague feels internal and trustworthy. An attacker who compromises an account or uses guest access can message payroll or HR to request a bank-detail change with less scrutiny than a formal email might attract.
The informal, immediate nature of Teams chat encourages quick handling of what looks like a routine request. Because the message carries a recognised name, payroll staff may process the change without the independent verification that protects against diversion.
How this scam works on Microsoft Teams
Having gained access, the attacker messages payroll or HR through Teams posing as an employee, asking to update their direct-deposit details. They may explain the change as a switch of banks and request it before the next pay run.
The chat format pressures a fast response, and the recognised profile reduces suspicion. The attacker supplies new account details and relies on the change being applied without a confirming call to the genuine employee.
If payroll updates the record, the next salary payment is diverted to the criminal's account. The fraud usually surfaces only when the real employee reports missing pay, after the funds have been moved.
Common red flags
- A Teams chat requesting a change to an employee's direct-deposit details
- A request made just before a pay run
- An external-guest account using an employee's name
- A bank-detail change requested only through chat
- Phrasing or behaviour unlike the employee's norm
- Pressure to apply the change quickly
How to protect yourself
- Verify payroll changes by phone with the employee on a known number
- Do not action direct-deposit changes from chat alone
- Require a secondary verification step for all payroll changes
- Restrict and label external-guest access in Teams
- Enable multi-factor authentication on all accounts
- Apply a confirmation window before new bank details take effect
How to report it
- Report the compromised or impersonating account to IT security
- Notify your bank immediately if any pay was diverted
- File a report with your national cybercrime or fraud centre
Frequently asked questions
An employee messaged payroll on Teams to change their bank details. Is chat enough to action it?
No. A compromised account or a guest using an employee's name can send such a request. Confirm any direct-deposit change by phone with the employee on a known number before updating payroll, regardless of the channel.